Optimize your way to RCE with Chakra presented at GreHack 2019

by Bruno Keith

Summary: As can be seen in recent years, JavaScript engines have been one of the main targets for compromising a browser. With public resources on the subject becoming more and more available, attackers have to dig deeper and deeper in order to find valuable bugs on their quest to achieve remote code execution. While searching, you might end up with some super friendly bug that takes 30 minutes to exploit using publicly documented techniques; other times you end up with something you have no clue how to exploit. This talk will focus on such a bug I found and my process to turn it into a super reliable RCE. We will do a basic introduction of the bug, but rather than focusing on the bug's root cause, this talk will focus on the exploitation part and how attackers can go about turning limited primitives into better ones, repeating the process until they have all that is needed to achieve a reliable exploit.